TDS Installation Checklist for Production Security (Reference)
Install Java
- Download and install the latest version of JDK 1.7
Tomcat Install
- Create a dedicated user and group for running Tomcat who does not have root privileges.
- As this user, download and install the latest version of Tomcat 7. You must use a version of Tomcat >= 7.0.43.
- In ${tomcat_home}/bin create a setenv.sh shell script, and set the values of JAVA_HOME, CATALINA_BASE and CONTENT_ROOT. Each of these has to be customized to your installation. For example:
#!/bin/sh
JAVA_HOME="/usr/local/tds/jdk1.7.0_60"
export JAVA_HOME
CATALINA_BASE="/usr/local/tds/apache-tomcat-7.0.42"
export CATALINA_BASE
# no spaces around "=": with a space, sh would treat -Dtds... as a command to run
CONTENT_ROOT="-Dtds.content.root.path=/opt/tds-live/content"
Also in setenv.sh, set CATALINA_OPTS, for example:
# modify these if you wish, or use as is
NORMAL="-Xmx4g -Xms512m -server"
# no longer needed in Java 8
MAX_PERM_GEN="-XX:MaxPermSize=256m"
# just use these as specified
HEADLESS="-Djava.awt.headless=true"
JAVA_PREFS="-Djava.util.prefs.systemRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs -Djava.util.prefs.userRoot=$CATALINA_HOME/content/thredds/javaUtilPrefs"
CATALINA_OPTS="$NORMAL $CONTENT_ROOT $MAX_PERM_GEN $HEADLESS $JAVA_PREFS"
export CATALINA_OPTS
(You can use JAVA_OPTS instead of CATALINA_OPTS, but JAVA_OPTS is used for any Java program, and CATALINA_OPTS is only used by Tomcat.)
- Purchase a real certificate from a certificate authority, so users are not confused and do not question the legitimacy of your web site.
- Make the following modifications to ${tomcat_home}/conf/server.xml:
- Enable digest passwords by commenting out the UserDatabaseRealm and enabling the MemoryRealm.
- Enable SSL by uncommenting the SSL Connector listening on port 8443, and add the required keystoreFile and keystorePass attributes.
- Enable compression by adding compression and compressableMimeType attributes to 8080 Connector.
- Enable access logging by uncommenting the AccessLogValve and changing the prefix, suffix and pattern attributes.
- For each user, create a SHA1 password digest using the ${tomcat_home}/bin/digest.sh script or an online service such as http://www.freeformatter.com/message-digest.html
- Make the following modifications to ${tomcat_home}/conf/tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="tdsConfig" description="can change THREDDS configuration files"/>
<role rolename="tdsMonitor" description="can download THREDDS log files"/>
<role rolename="tdsTrigger" description="can trigger featureCollection reloads"/>
<user username="generalissimo" password="digest1" roles="manager-gui"/>
<user username="capitan" password="digest2" roles="tdsTrigger,tdsConfig,tdsMonitor"/>
<user username="tdm" password="digest3" roles="tdsTrigger"/>
</tomcat-users>
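The following Python script is an added example, not part of this page or of Tomcat/TDS: it computes the same unsalted lowercase-hex SHA-1 that Tomcat 7's digest.sh -a SHA prints, so production passwords can be digested on the server itself, and it audits a finished tomcat-users.xml for passwords that are not digests (plaintext or a leftover placeholder such as "digest2") and for roles a user holds that were never declared. It assumes the MemoryRealm is configured with digest="SHA"; the XML it parses is a constructed sample.

```python
"""Digest passwords locally and audit tomcat-users.xml for the TDS checklist.
Assumes MemoryRealm digest="SHA": unsalted hex SHA-1, as digest.sh -a SHA prints."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: one correct digest, one placeholder left in place, one
# undeclared role. The digest value is SHA-1("abc"), used only as a stand-in.
SAMPLE_TOMCAT_USERS = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="tdsConfig" description="can change THREDDS configuration files"/>
  <role rolename="tdsMonitor" description="can download THREDDS log files"/>
  <role rolename="tdsTrigger" description="can trigger featureCollection reloads"/>
  <user username="generalissimo" password="a9993e364706816aba3e25717850c26c9cd0d89d" roles="manager-gui"/>
  <user username="capitan" password="digest2" roles="tdsTrigger,tdsConfig,tdsMonitor"/>
  <user username="tdm" password="a9993e364706816aba3e25717850c26c9cd0d89d" roles="tdsTrigger,tdsAdmin"/>
</tomcat-users>"""

def tomcat_sha_digest(password: str) -> str:
    """Same value digest.sh -a SHA prints after the colon: hex SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def is_sha_digest(value: str) -> bool:
    """True if value looks like a 40-character hex SHA-1 digest."""
    return len(value) == 40 and all(c in "0123456789abcdef" for c in value.lower())

def user_element(username: str, password: str, roles: str) -> str:
    """Render a <user> element with the password already digested (XML-escaped by ET)."""
    el = ET.Element("user", username=username,
                    password=tomcat_sha_digest(password), roles=roles)
    return ET.tostring(el, encoding="unicode")

def audit_tomcat_users(xml_text: str) -> list:
    """One finding per problem: a password that is not a digest, or a role
    a user holds that no <role> element declares."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    declared = {r.get("rolename") for r in root.iter("role")}
    findings = []
    for user in root.iter("user"):
        name = user.get("username", "?")
        if not is_sha_digest(user.get("password", "")):
            findings.append(f"{name}: password is not a SHA-1 digest")
        for role in (r.strip() for r in user.get("roles", "").split(",")):
            if role and role not in declared:
                findings.append(f"{name}: role '{role}' is not declared")
    return findings

if __name__ == "__main__":
    print(user_element("tdm", "replace-me", "tdsTrigger"))
    print(*audit_tomcat_users(SAMPLE_TOMCAT_USERS), sep="\n")
```

Run it against the real ${tomcat_home}/conf/tomcat-users.xml after the edits above; an empty finding list means every account has a digest and only declared roles.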
- Make the following modifications to ${tomcat_home}/webapps/manager/WEB-INF/web.xml:
- Make sure the manager is only available via SSL by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL inside the security-constraint element.
- DO NOT ENABLE THE MANAGER WITHOUT RESTRICTING TO SSL ACCESS ONLY. (!)
- Remove any unused applications from ${tomcat_home}/webapps.
- (optional) Build netCDF-C library on your server. Standard install directory is /opt/netcdf.
TDS Install
- Download the latest thredds.war file, and put it into ${tomcat_home}/webapps.
- Start/restart Tomcat so that it has a chance to create initial files in ${tomcat_home}/content/thredds (optional).
- Modify ${tomcat_home}/content/thredds/catalog.xml for your site, as in this example.
- Modify ${tomcat_home}/content/thredds/threddsConfig.xml for your site in the following manner:
- If needed, limit access to the TDS and create a robots.txt file in ${tomcat_home}/webapps/ROOT/ to restrict crawler activity.
Maintenance
Periodically check that you are running the latest versions of Java, Tomcat and the TDS.
- If you have enabled access logging (and you should), zip up the unused access logs in ${tomcat_home}/logs/ and archive them off to another directory.
- Likewise, zip up the unused TDS servlet logs in ${tomcat_home}/content/thredds/logs and archive them as well.
Upgrading the TDS
When installing a new thredds.war, everything in ${tomcat_home}/webapps/ is overwritten. However, nothing in ${tomcat_home}/content/ is overwritten.
Use one of the following methods to deploy a new version of the TDS